Routing Questions for DMZ/Internal LAN
Posted on 2006-05-25
We have a new neighbor that has recently moved into our building. We are considering (and most likely are) going to provide internet access to this person from our pipe. At the same time we set this up, we intend on splitting off some of our servers into a DMZ. Our new neighbor will be supplying us with a Cisco Pix for their routing/security purposes. I have a few questions on general routing and what can and can't be done.
The IP space allocated to us includes a /26 and a /24, which is honestly a fairly big waste and came about as a result of our requesting a /24 from ARIN and our ISP never deallocating the /26 despite our informing them to do so. Ironically, at this point I believe having that extra subnet will be able to help me simplify things a bit when configuring the new design (granted, even now I only need a /29 based on what I have visualized).
Our current network looks like: ISP ATM Switch <> ISP Router <> Our Router <> Our Network
ATM switch inside and ISP router outside are connected via ethernet and routed TCP using a /30. On the inside of the ISP router they have configured x.x.x.193 /26 and x.x.x.1 /24. What I'm looking to do is break the network down to get rid of a hideously overly complex access list on our router. What I have envisioned is the following:
                  (x.x.x.193 /26  x.x.x.1 /24)
          |                     |                     |
   (x.x.x.194 /29)       (x.x.x.195 /29)       (x.x.x.196 /29)
      New 1811                1721                Their Pix
    (x.x.x.2 /24)       (192.168.1.1 /24)     (192.168.2.1 /24)
          |                     |                     |
         DMZ               Our Network           Their Network
The problem I see arising is that I do not think the /24 will route down to my DMZ if it is configured on the ISP router, meaning that I'd need to break it so that the outside interface has a .2 /30 as a secondary and the inside interface .129 /25 and a bunch of secondaries to fill the rest of the subnet, with a lot of wasted space.
Secondly, does the 1721 router need an access list at all if all internal traffic is NATed (PATed, I guess) through the interface IP?
Or suggest a totally different idea that is better than mine.
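The routing concern in the post (a /24 configured as a connected network on the ISP router's inside interface will not be forwarded to a DMZ that sits behind the 1811) comes down to longest-prefix-match forwarding. The following Python model is an added example, not code from the post or from any vendor: it builds two versions of the ISP router's table and shows which path a packet for a DMZ host takes in each. The addresses 203.0.113.0/24, 198.51.100.192/26 and the upstream hop 192.0.2.1 are constructed stand-ins (documentation ranges) for the page's x.x.x.0/24, x.x.x.192/26 and the ISP-side /30; the interface names and the /25 split are assumptions matching the poster's sketch.

```python
"""Longest-prefix-match model of an ISP router's forwarding decision.

Constructed addresses (RFC 5737 documentation ranges), not real allocations:
  203.0.113.0/24     -> stands in for the page's x.x.x.0/24
  198.51.100.192/26  -> stands in for the page's x.x.x.192/26
  198.51.100.194     -> the 1811's outside address (x.x.x.194 in the sketch)
  192.0.2.1          -> the ISP-side next hop on the /30
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: IPv4Net
    interface: str
    # None means "directly connected": the router ARPs for the host itself
    # instead of handing the packet to another router.
    next_hop: Optional[str] = None


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Return the most specific route covering dst (longest prefix wins)."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: r.prefix.prefixlen)


def forward(table: List[Route], dst: str) -> Tuple[str, Optional[str]]:
    """Describe what the router does with a packet for dst.

    ("arp", iface)      -> treats dst as on-link and ARPs for it on iface
    ("next-hop", addr)  -> forwards to another router at addr
    ("drop", None)      -> no route
    """
    route = lookup(table, dst)
    if route is None:
        return ("drop", None)
    if route.next_hop is None:
        return ("arp", route.interface)
    return ("next-hop", route.next_hop)


# Scenario A (the current situation): the whole /24 is a connected network on
# the ISP router's inside interface.  A DMZ host at .2 is really behind the
# 1811, but the router believes .2 is on its own LAN segment.
ISP_AS_IS = [
    Route(IPv4Net("0.0.0.0/0"), "outside", next_hop="192.0.2.1"),
    Route(IPv4Net("198.51.100.192/26"), "inside"),   # x.x.x.193 /26, connected
    Route(IPv4Net("203.0.113.0/24"), "inside"),      # x.x.x.1 /24, connected
]

# Scenario B (the poster's proposed split): the ISP router keeps only the upper
# /25 as a connected network and learns a static route for the lower /25 via
# the 1811's outside address.  Constructed to illustrate the idea.
ISP_SPLIT = [
    Route(IPv4Net("0.0.0.0/0"), "outside", next_hop="192.0.2.1"),
    Route(IPv4Net("198.51.100.192/26"), "inside"),
    Route(IPv4Net("203.0.113.128/25"), "inside"),                    # .129 /25 connected
    Route(IPv4Net("203.0.113.0/25"), "inside", next_hop="198.51.100.194"),  # DMZ half via 1811
]


def dmz_path(table: List[Route]) -> Tuple[str, Optional[str]]:
    """Where does a packet for the DMZ host x.x.x.2 end up?"""
    return forward(table, "203.0.113.2")


if __name__ == "__main__":
    print("as-is :", dmz_path(ISP_AS_IS))   # ARPs on inside; .2 never answers
    print("split :", dmz_path(ISP_SPLIT))   # handed to the 1811 at .194
    print("upper :", forward(ISP_SPLIT, "203.0.113.130"))
    print("elsewhere:", forward(ISP_SPLIT, "10.0.0.1"))
```

In scenario A the router resolves the DMZ host as on-link and ARPs for it on the inside interface, so the packet never reaches the 1811; in scenario B the more specific static route sends it to the 1811. One caveat worth checking on real gear: Cisco IOS enables proxy ARP on interfaces by default, which can mask this kind of mismatch by having the 1811 answer the ARP on the DMZ's behalf, so a design that only works because of proxy ARP should be confirmed deliberately rather than discovered by accident.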